diff --git a/README.md b/README.md
index 3114784..05f9d10 100644
--- a/README.md
+++ b/README.md
@@ -93,3 +93,17 @@ On [selfprivacy-nixos-infect](https://git.selfprivacy.org/SelfPrivacy/selfprivac
 ```bash
 readonly CONFIG_URL="https://git.selfprivacy.org/api/v1/repos/SelfPrivacy/selfprivacy-nixos-template/archive/HASH.tar.gz"
 ```
+
+ ## How to apply a change (e.g. CVE fix) to nixpkgs
+
+ ### if you can determine which nixpkgs package is affected
+
+ - without building from source _(after nixpkgs binary cache is ready)_ - it will use all dependencies from the nixpkgs commit, where the patch is committed:
+
+ 1. Find a nixpkgs commit, which contains the patched files. It doesn't have to be (but it can be) the commit where the actual patch was introduced, it can be a more recent commit.
+ 2. In [`overlay.nix`](overlay.nix) file write a line inside the existing curly brackets following the following pattern:
+ ```nix
+ PACKAGE_NAME = (builtins.getFlake "github:nixos/nixpkgs/NIXPKGS_COMMIT_SHA1").legacyPackages.${system}.PACKAGE_NAME;
+ ```
+ Substitute `PACKAGE_NAME` and `NIXPKGS_COMMIT_SHA1` with affected package name and nixpkgs commit SHA1 (found at step 1), respectively.
+ 3. Commit the [`overlay.nix`](overlay.nix) changes. Configuration is ready to be built.
diff --git a/configuration.nix b/configuration.nix
index 463994a..3eb2b11 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -149,6 +149,9 @@ in
 # allowed-uris = [];
 allow-dirty = false;
 };
+ nixpkgs.overlays = [
+ (import ./overlay.nix config.nixpkgs.hostPlatform.system)
+ ];
 services.journald.extraConfig = "SystemMaxUse=500M";
 boot.kernel.sysctl = {
 "net.ipv4.ip_forward" = 1; # TODO why is it here by default, for VPN only?
diff --git a/flake.nix b/flake.nix
index 5f1ed70..ff4826a 100644
--- a/flake.nix
+++ b/flake.nix
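Review bot: The new `nixpkgs.overlays` entry passes `config.nixpkgs.hostPlatform.system` into the overlay only so that overlay.nix can index `legacyPackages.${system}`, but an overlay already has that value available from the package set it is applied to, so the argument can be dropped and the entry reduced to `(import ./overlay.nix)` with overlay.nix reading `prev.stdenv.hostPlatform.system` instead; that also guarantees the pinned packages are selected for the same platform as the rest of `pkgs`. If the argument is kept, a one-line comment next to it would help the next reader, e.g. `# overlay.nix pins single packages to other nixpkgs commits; see README "How to apply a change"`. Reading `config.nixpkgs.hostPlatform` while building the overlay list looks safe here, since as far as the hunk shows that option does not depend on `pkgs`, but it is the kind of dependency that turns into an infinite-recursion error if someone later derives the platform from a package. The attribute set this hunk sits in opens and closes outside the hunk.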
@@ -33,7 +33,7 @@
 environment.etc."selfprivacy/nixos-config-source".source = top-level-flake;
- # for running "nix search nixpkgs", etc
+ # for running "nix search nixpkgs", "nix shell nixpkgs#PKG... etc
 nix.registry.nixpkgs.flake = nixpkgs;
 # embed commit sha1 for `nixos-version --configuration-revision`
@@ -49,7 +49,7 @@
 }
 ] ++
- # add SP modules, but contrain available config attributes for each
+ # add SP modules, but constrain available config attributes for each
 # (TODO revise evaluation performance of the code below)
 nixpkgs.lib.attrsets.mapAttrsToList (name: sp-module: args@{ config, pkgs, ... }:
diff --git a/overlay.nix b/overlay.nix
new file mode 100644
index 0000000..eb9b7a8
--- /dev/null
+++ b/overlay.nix
@@ -0,0 +1,10 @@
+system:
+_final: _prev:
+{
+ # Here is a template to bring a specific package from a given nixpkgs commit:
+ # PACKAGE_NAME = (builtins.getFlake "github:nixos/nixpkgs/NIXPKGS_COMMIT_SHA1").legacyPackages.${system}.PACKAGE_NAME;
+ # Substitute `PACKAGE_NAME` and `NIXPKGS_COMMIT_SHA1` accordingly.
+ # If a package already exists it is overlaid (previous one gets inaccessible).
+ # roundcube CVE fix example (from nixpkgs PR (https://github.com/NixOS/nixpkgs/pull/332654)):
+ # roundcube = (builtins.getFlake "github:nixos/nixpkgs/9e2f16514b23963621325d93920c9f896ec54ca3").legacyPackages.${system}.roundcube;
+}
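Review bot: The header comment in overlay.nix should say that each pin is temporary: an entry like the commented roundcube example (nixpkgs 9e2f16514b23963621325d93920c9f896ec54ca3, PR 332654) freezes that package at one commit, so once the flake's main nixpkgs input moves past the fix the overlaid package keeps shadowing the newer one and receives no later updates, e.g. `# Remove an entry once the flake's nixpkgs input contains the fix; until then the package stays frozen at that commit.` Two properties of `builtins.getFlake` are worth recording in the same block: in pure evaluation it only accepts a locked reference, so `NIXPKGS_COMMIT_SHA1` must be a full commit hash rather than a branch or tag, and the fetched nixpkgs is not recorded in flake.lock, so it is resolved at evaluation time rather than through the lockfile. The sentence "previous one gets inaccessible" is also slightly off, since the replaced package remains reachable as `_prev.PACKAGE_NAME` inside this overlay; renaming the parameter to `prev` and mentioning that would make the template more accurate.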